AMENDMENTS TO THE SPECIFICATION 

Please amend the specification as indicated liereafter. It is believed that the 
following amendments and additions add no new matter to the present application. 

Please amend paragraph 0035 starting on page 6 as follows: 

The various governance groups 210-270 work together to ensure that the 
operational business units 291 297 291-298 are in compliance with external regulations 
and internal policies of the business organization 202. For example, the Compliance 
group 230 helps set and implement corporate policies regarding compliance activities. 
Other governance groups, such as Internal Audit 210, Security 220, and Ethics 240, 
then monitor the business units 291 297 291-298 to assure that the business units are 
complying with these corporate policies (regarding compliance activities). Further, a 
Business Controls group 270 implements control measures (and assigns responsibility 
for these control measures) to enable the business units 291 297 291-298 to comply 
with external regulations and internal policies. 

Please amend paragraph 0036 starting on page 6 as follows: 

In particular, the operational business units 291 297 291-298 perform the day-to- 
day business operations and functions for the business organization 202, where a 
particular business unit performs a particular role or operation for the organization 202. 
For example, the various operational business units 201 297 291-298 may include 
Advertising & Publishing, Corporate Technology, Finance, Human Resources, 
Network, etc. Each business unit 291 - 297 291-298 may also maintain their own 
database 129 of information (within the Integrated Governance system of FIG. 1) 
related to the business unit. 
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Please amend paragraph 0037 starting on page 7 as follows: 



Referring bacl< to tlie various governance groups for one embodiment, the 
Compliance group 230 has a reporting structure that starts with its board of directors 
and includes an active Compliance Policy Board. The Compliance Policy Board 
evaluates, reviews, and enhances company policy and standards. In particular, the 
Compliance Policy Board performs an integrity function to ensure that the company 
creates policies that are in alignment with other policies across the organization 202. 
The Compliance Policy Board also evaluates ethics and integrity issues and anticipates 
trends in company ethics; conducts reviews of the effectiveness of compliance activity 
in the operational business units 291 297 291-298 : and reviews discipline policy to 
ensure consistent enforcement of organizational standards. Additionally, the 
Compliance group 230 contains integral members of the operational business units 294- 
297 291-298 . The integral members of the business units help ensure that all 
compliance activities flow through the business units 201 297 291-298 . For example, a 
"Compliance Senior Leader" is ultimately responsible for ensuring that the business 
units' business control processes are in place and will help ensure that the business unit 
is in compliance with applicable laws and regulations and with organizational standards 
and policies. A "Compliance Coordinator" performs periodic reviews of the inventory 
and risk assessment; implements and monitors the yearly action plan and associated 
reports; and makes periodic reports to the Compliance Policy Board. Further, "Subject 
Matter Experts" are typically lawyers or operational experts who provide advice and 
guidance around defined core areas of compliance in the company. A sample list of 
core compliance areas for one embodiment is shown in FIG. 3. 
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Please amend paragraph 0038 starting on page 7 as follows: 



The Business Controls group 270 is typically provided to address risk 
management and business control issues within the organization 202. In particular, the 
Business Controls group 270 serves as a consultative group to the operational business 
divisions (or units) 291 297 291-298 within the company. At the units' request, the 
Business Controls group 270 assesses risks of operational business processes and 
define business control needs. The Business Controls group then works hand-in-hand 
with business units 291 297 291-298 to develop adequate business controls to mitigate 
the risks present in these processes. With a separate Business Controls group 270, the 
separate and objective perspective of Internal Auditing 210 is maintained, while the 
Business Controls group 270 can work throughout the year with the business units 294- 
297 291-298 . 

Please amend paragraph 0039 starting on page 8 as follows: 

In some embodiments, the Business Control group 270 also conducts forensic 
data analysis, among other activities, to test data integrity across the business 
organization 202 and to identify problems that are not evident at the process level. For 
example, business units 291 297 291-298 can request data analysis as the units 294- 
297 291-298 are releasing new products or processes. Data analysis can also be done 
from an organizational perspective to ensure that existing business processes are 
working correctly. 
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Please amend paragraph 0040 starting on page 8 as follows: 

To determine business control levels for core compliance areas, the Business 
Controls group 270 (or a Business Controls group member or a respective business unit 
working In collaboration with the Business Controls group/member) follows a unified 
process 300 400 . as shown in FIG. 4. First, this unified process includes identifying 
(410) associated business processes for a respective business unit. Further information 
is also identified (420-440), such as core compliance areas (applicable regulations, 
laws, and rules); current business controls (policies, procedures, training, audits); and 
the current legal and operational subject matter experts for the respective business unit. 
To aid in compiling the aforementioned information, an inventory template or form may 
be used. By reviewing the obtained information and conversing with the subject matter 
experts, the compliance gaps and risks are ascertained (450). For example, the risks 
may identify what can happen or go wrong with the current business processes, and the 
gaps may identify what compliance measure or practice should be happening that is 
not. The gaps and risks are then prioritized (e.g., from most likely to least likely, for 
example) and assigned (460) a risk rating. The risk rating (e.g., senior management 
intervention, significant operations review, etc.) describes the level of operational action 
that should be taken if a potential risk occurs. To determine the risk rating, the impact 
or consequences of a potential risk (financial, physical, human, or intangible) and the 
probability or likelihood that the risk will occur are taken into account. Therefore, a 
particular risk that is likely to occur and would have a significant impact receives a 
higher risk rating than another risk that is unlikely to occur and would have a significant 
impact. The probability of each risk is plotted (470) versus the impact of the risk to form 
the Risk Assessment Matrix for the respective business unit. 
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Please amend paragraph 0041 starting on page 9 as follows: 



The Risk Assessment IVIatrix 500 helps evaluate impact over risk of occurrence 
in all core compliance areas for business units 291 - 297 291-298 as shown in FIG. 5. A 
color-coded assessment process 510 is used to easily and visually identify and 
understand the levels of risk. (Colors in FIG. 5 are represented by cross-hatched 
shading, as shown.) Accordingly, instead of showing that a risk Is a "high risk" or a "low 
risk," the Matrix 500 provides the level of business controls that should be used from an 
operational standpoint. Accordingly, if a risk has a potentially extreme impact on the 
business organization 202 (even if the proper business controls are already in place), 
the risk is assigned a "significant operations review" rating. The Risk Assessment 
Matrix 500 process provides the company with a quick snapshot of all risk areas for all 
business units 291 297 291-298 . Typically, each business unit 291 297 291-298 
completes this process for all core compliance areas. Accordingly, a summary 600 of 
risk assessment by business units may be constructed, as shown in FIG. 6, for the 
whole organization 202 (or enterprise). The summary 500 of risk assessment can then 
be used to form an organization-wide view of the planned business control levels for 
core compliance areas, as shown in FIG. 7. Note, if a particular business units does not 
have risks in certain areas, then the particular business unit does not analyze risks in 
these areas. 
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Please amend the paragraph following paragraph 0041 starting on page 9 as 
follows: 

From the Risk Assessment Matrix 500, action plans are developed and 
implemented (480) by the Business Controls 270 group/member (in possible concert 
with the business units) to resolve the risks and/or gaps present in current business 
practices. Action plans may require policy changes, training, etc. Monitoring (490) of 
the effectiveness of the actions plans for the business units are perfonned at an 
organizational level (e.g., corporate level). For example, in some embodiments, the 
Compliance Group 230 continually monitors areas that need senior management 
intervention or significant operations review to ensure that adequate preventive, 
detective, and corrective business controls are in place and intervenes, when 
necessary, to drive proper action on gaps identified through risk assessment. A Subject 
Matter Expert in the appropriate Legal group 260 or operational business unit 291 207 
291-298 is then responsible for validating these business controls and alerting 
personnel of emerging issues in a particular governance area. If the business controls 
are not deemed adequate by the Compliance Group 230 or Legal group 360, for 
example, the business unit 2 91 29 7 291-298 and the Compliance Group 260 work 
together to implement effective controls (regardless of whether the risk at issue is only 
present in one business unit out of a multitude). The inventory and risk assessment 
documents are normally reviewed yearly for the summarized Risk Matrix 500 and action 
plan by the business units 291 297 291-298 . Further, when organizational changes 
occur and when changes In rules, laws, and/or regulations occur, these documents are 
reviewed by all the business units 291 297 291-298 . 
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Please amend paragraph 0048 starting on page 12 as follows: 



With a multitude of governance databases 122-128 in the Integrated Governance 
system 100, operational business units 201 207 291-298 may find it difficult to obtain 
and grasp pertinent governance data regarding their respective business units 291 - 297 
291-298 . Consider that a large company or corporation may have the following 
governance data points over a six-month period: 

> 58 Audit Engagements with 401 control points 

> 347 Security Investigations 

> 1 94 Ethicsline Allegations 

> 85 Ethicsline Calls for Advice 

> 14 Business Control issues 

> 3700 People Trained on Compliance Initiatives 

Please amend paragraph 0052 starting on page 13 as follows: 

As stated, FIG. 18 is a flowchart describing one embodiment 1800 of the 
Integrated Governance process. First, information from various governance sources 
from across the entirety of the corporation are selectively gathered and compiled (1810) 
together regarding issues of interest. For example, in order to review levels of 
compliance within a business organization 202, governance sources may Include 
databases of governance groups or agencies and any other database that Is likely to 
contain reports or allegations of company noncompliance. Next, under a common 
analytical process, the compiled information is reviewed (1820) (by Integrated Team 
members having experience in the issues of interest and the various business units) to 
determine if significant issues exist. Further, owner(s) of the identified issue(s) are 
determined (1830) from among the various business units 291 297 291-298 . 
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Please amend paragraph 0057 starting on page 1 5 as follows: 

After all team 280 members complete their templates for all the governance 
areas, the data from each template is discussed within the Integrated Governance team 
280 and re-organized (or prioritized) to reflect issues that are significant or that are 
occurring in multiple governance reports. These issues are then compiled as emerging 
issues. Emerging issues are either new to the business organization 202 or are being 
observed across more than one business unit. By considering all the issues that are 
occurring across the business units 291 297 291-298 of an organization at one time, the 
Integrated Governance team 280 can understand the root causes of these issues within 
a common analytical process (as mentioned in step 1820 of FIG. 18) that takes 
advantage of the collective knowledge of the members of the Integrated Governance 
team 280. 

Please amend paragraph 0070 starting on page 20 as follows: 

Hence, one end result of the Integrated Governance process 1800 is that the 
Integrated Governance team 280 helps the operation business units 291 - 297 291-298 
understand a problem that was emerging across the company. In this example, the 
Integrated Governance team 280 identified the problem, analyzed the root cause, and 
then worked to develop and implement an appropriate solution. This saved time for the 
business units 291 297 291-298 and ultimately reduced fraud and the potential firing of 
high-performance employees. 
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Please amend paragraph 0073 starting on page 21 as follows: 



By leveraging a stable and strong compliance program, the function of the 
compliance program evolves into something more meaningful to the operational side of 
a business organization 202. Further, the operational business units 291 - 297 291-298 
are active participants In all steps of the Integrated Governance process. Via the 
Integrated Governance process, the Integrated Governance team 280 assists 
operational business units In more than just compliance Issues. For example, the 
Integrated Governance team 280 can provide guidance to business units on what to do 
from a compliant stand point and a governance standpoint (auditing, securities, what 
has highest priority, highest risk, etc.). 
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